Timeouts for LDAP with NPath Routing

Question

Hi All,&nbsp;
&nbsp;I'm attempting to use NPath Routing for a pool of LDAP Servers.  I've got it working great, except for an issue with what I'm assuming is an idle timeout.  SOme of the LDAP clients (I have no control over them) try to keep a persisant connection to the LDAP server and at some point, the connection is being severed. I'm guessing its the idle timeout on the NPath L4 profile I have?  Its currently set at the default of 300 sec.  I was considering setting it to slightly over 2 hours, so the keepalive ping from the server (which I believe is 2 hours for linux) would keep any persisent connections open.  Do you think this is the cause?  DO you think changing the idle timeout would help?  &nbsp;
&nbsp;How can I keep an eye on these persisent connections to make sure they don't accumulate too fast?&nbsp;
&nbsp;Thanks in advance!&nbsp;
&nbsp;Al

hooleylist · Answer

Hi Al, 
&nbsp;  
&nbsp; I don't see any issues with extending the FastL4 profile idle timeout.  You can check the 'b conn' output for the number of connection table entries.  Note that b conn will only return 7037 connections: 
&nbsp;  
&nbsp; sol6573: The bigpipe conn command displays a maximum of 7,037 connections 
&nbsp; http://support.f5.com/kb/en-us/solutions/public/6000/500/sol6573.html 
&nbsp;  
&nbsp; Aaron

al_faller_1969 · Answer

Hi Aaron,&nbsp;
&nbsp;Thanks for your input.  I made the change and it has definitely improved things.  I have found no negative effects either.&nbsp;
&nbsp;Regards,&nbsp;
&nbsp;Al&nbsp;

hamish · Answer

FWIW I used to run a quite large LDAP directory behind F5 LTM's. It isn't uncommon for apps to leave idle connections for many hours and then expect them to be up and running instantly still... 2 hours may be too short. 
&nbsp;  
&nbsp; However there is a chance that either the client or the server will be specifying SO_KEEPALIVE on the sockets. If so, then setting the tcp keep interval to something reasonably short (Defined as about 2/3's of the minimum idle timeout value of all the devices in the solution) will mean that the IP stack itself will send keepalives (Basically it'll send ACK packets now and again so the endpoint, and any firewall/stateful devices in the path know the endpoints havent 'gone away'). 
&nbsp;  
&nbsp; H

coda6_52611 · Answer

I am trying to design a solution for npath routing and AD LDAP services, are your pool members all on the same subent, or are they on different subnets? The articles I found on the KB only give examples for a single subnet. 
&nbsp;  
&nbsp; Thanks, 
&nbsp;  
&nbsp; Ken

nitass · Answer

are your pool members all on the same subent, or are they on different subnets?if i am not wrong, since destination address is not translated, pool member must be in the same subnet as bigip (connected subnet).

Forum Discussion

Timeouts for LDAP with NPath Routing

Recent Discussions

Can you set Kerberos AAA server via session variable?

HTML Code injection Not detected by ASM

What will be happen to live and existing connections when failover HA BIG IP active-standby

SSL Offload and remove FQDN

High CPU utilization (100%).

Related Content

F5 Distributed Cloud - Customer Edge Site - Deployment & Routing Options

big3d timeouts

SNI Routing with BIG-IP

HTTPS Routing based on Client Certificates values with F5 Distributed Cloud

BIG-IP BGP Routing Protocol Configuration And Use Cases

ABOUT DEVCENTRAL

RESOURCES

SUPPORT

PARTNERS